PT-2026-40543 · Esm.Sh · Esm.Sh
Donttrytofindme
·
Published
2026-05-12
·
Updated
2026-06-25
·
CVE-2026-44594
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
esm.sh versions 137 and earlier
Description
A Local File Inclusion (LFI) issue exists in the esbuild plugin's handling of the
browser field within the package.json file. An attacker can publish a malicious npm package that leverages ../ sequences in the browser field to remap module paths. Because the plugin fails to perform a second validation check after this remapping, the server can be forced to read and return arbitrary files from the host filesystem during the build process. These files may appear in the bundled JavaScript output or the sourcesContent array of the source map. The impact includes the potential exposure of sensitive files, such as the config.json file, which may contain S3 storage credentials and npm registry authentication tokens.Recommendations
Update to a version later than 137.
As a temporary mitigation, restrict the use of the
browser field in package.json for untrusted npm packages.Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Esm.Sh